Winter 2023 Product Enhancement Recap: Stopping Email Platform Attacks Before They Snowball

This winter, Abnormal added three new Knowledge Bases, multi-tenant management, and more to protect cloud users against email platform attacks.
January 31, 2023

During these cold, dark months, Abnormal was heating up, lighting the path to email security success as we released a variety of product enhancements aimed at solving the broader problems surrounding the cloud email platform… How do organizations protect the email platform itself? How can you effectively secure and manage a fragmented, multi-tenant environment? Is there a way to better understand how users are behaving? Is there a singular location where security leaders can see their third-party applications and understand what each one is allowed to do?

We sought to find answers to those questions. A term you’ll hear from Abnormal quite often is “email platform attack,” which is a growing threat to organizations. This segment of the threat landscape involves attacks that tend to skip traditional phishing tactics in favor of directly compromising cloud email environments. One common example is an organization that has not disabled legacy authentication in Microsoft 365. This one, seemingly innocuous configuration allows attackers to bypass MFA entirely—something we saw in the news earlier this year.

So, what has Abnormal actually released this quarter? Let’s dig in.

Three New Knowledge Bases

The first stop on our Winter Wonderland Tour is at our new Knowledge Bases.

You may already be familiar with VendorBase™, a Knowledge Base aimed at detecting unusual vendor activity, scoring vendors based on risk, and blocking those vendors that are deemed to be a threat to your organization. In a similar fashion, these new Knowledge Bases ingest thousands of signals across your cloud email platform to build dynamic behavioral profiles connecting your users, integrated third-party applications, and mail tenants.

Putting this data directly into your Abnormal Portal can enrich investigation when anomalous activity is detected for a given user, as well as enhance your application and tenant hygiene. Better data leads to better decisions, and better decisions lead to a more secure email environment.


AppBase centralizes app activity data, permissions, and key metadata for all applications integrated into your cloud email platform. We already see many of our customers using AppBase to uncover previously unknown applications lurking as shadow IT within their cloud email platform.

Product Enhance1

Beyond this hygiene use case though, AppBase can be used to identify risky applications—whether over-permissioned or simply unusual—and then track ongoing activity to conduct a thorough and expeditious investigation. AppBase helps you discover whether the app is truly malicious, or if it’s a simple case of a savvy user skirting install policies to download a fancy new calendar extension.

Product Enhance2

At the end of the day, either scenario presents a risk, and it’s crucial to identify it so you can determine the next course of action.


Applications don’t install themselves, so the nexus for all suspicious activity is often the users in your environment. PeopleBase provides a directory of each of the active users on your cloud email platform. It uses contextual, behavioral data to build a dynamic user genome, along with an activity timeline of recent events such as sign-on patterns, suspicious email activity, common devices and IP addresses, and more.

Product Enhance3

PeopleBase provides insight into malicious email trends for a given user, configuration changes that user has executed, and applications the user has recently installed. And in addition, Abnormal paints a comprehensive portrait of who your users are, where they are, and what they’re doing—helping you then determine if they are who they say they are.


Whether you have one mail tenant or fifty, these hubs of activity that ultimately constitute the surface of the cloud email platform can open the door to a variety of risks. TenantBase provides a catalog of each of the email tenants Abnormal Security protects, along with a running timeline that documents changes to conditional access policies, new users, user privilege changes, and new app integrations. Many recent attacks have been executed by attackers gaining access and compromising mail tenants, so it is critical to remain aware of changes as they occur.

Product Enhance4

All three new Knowledge Bases, as well as the existing VendorBase, are now available for free inside the Abnormal platform.

Security Posture Management

With any great snowman, you need a robust base: the Knowledge Bases. But think of Security Posture Management,our newest add-on product, as the body, coal, and carrot of your Abnormal Frosty.

Product Enhance5

Security Posture Management uses the data within the behavioral profiles built by PeopleBase, AppBase, and TenantBase to determine when a potentially harmful or unexpected configuration change has occurred. It then highlights these changes to administrators, helping security teams understand and take action to fill configuration gaps, as Abnormal works to improve the risk posture of cloud email environments.

Product Enhance6

With dynamic monitoring aimed at surfacing only high-impact changes to cut down on noise, actionable configuration insights to help you understand exactly what occurred, and workflow management that provides a quick path to acknowledge and identify next steps, Security Posture Management completes the cloud email security puzzle by proactively defending against email platform threats. Meanwhile, Abnormal’s best-in-class Inbound Email Security continues to handle those threat actors in the inbox.

Multi-Tenant Management

What do holding companies and organizations that have undergone a recent merger or acquisition have in common? First, probably something about winter since that’s the theme of the article… Perhaps they are in the middle of a financial freeze? Secondly, they need a way to effectively manage and secure multiple mail tenants.

Product Enhance7

Abnormal has answered this call with its new Multi-Tenant Management functionality. Gone are the days of long and arduous processes to manually link new tenants to the Abnormal portal. In three simple steps, our customers can now add a child tenant and then configure appropriate role-based access controls (RBAC) as needed. Here is the workflow:

  1. Navigate to Settings and click Add New Tenants.

  2. Name the new tenant.

  3. Grant access to the workspace.

I don’t know about you, readers, but I’m exhausted from typing that. I need a hot chocolate.

What’s Coming in Spring 2023?

Winter may be on its way out, but Abnormal is just getting started this year. Schedule a demo today to discover more from Abnormal, or if you’re already a customer, chat with our customer success team to receive answers to all of your questions.

Either way, be on the lookout for our Spring update … and beyond. Happy recap to all, and to all a good night.

Interested in learning more about the Abnormal platform? Schedule a demo today!

Schedule a Demo
Winter 2023 Product Enhancement Recap: Stopping Email Platform Attacks Before They Snowball

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More